Field
The present disclosure relates generally to validation of control-flow transfers, and more specifically to methods and apparatus for packet-based validation of control-flow transfers for hardware control-flow enforcement.
Background
Computers are frequently targeted by malicious attackers who wish to gain control of, or manipulate, software behavior. One way attackers can gain control of software is by exploiting software flaws or errors. For example, software implementation errors such as missing or incorrect input validation lead to overflows, out-of-bounds buffer accesses and memory corruption. Under normal conditions, these errors cause the software to become unstable and eventually crash. When an input is manipulated by a malicious attacker, however, these overflow bugs or memory corruptions can be exploited to change the expected behavior of the code and execute code or functionality chosen by the attacker. A way that an attacker then typically gains control of execution is by overwriting a data structure in memory, such as a return address, a function pointer, or a virtual-table pointer.
Finding and fixing all exploitable memory-corruption bugs in large and legacy code-bases is not always possible. Therefore, most systems contain general defensive features, called “exploit mitigation mechanisms,” that are effective against well-known techniques attackers use to exploit these bugs to gain control of the targeted systems.
Existing techniques for preventing exploitation of these vulnerabilities include Data Execution Prevention (DEP), Stack Protection (SP) and Address Space Layout Randomization (ASLR). There are also schemes that obfuscate sensitive pointers in software using macros or function calls (glibc and Win32). This prevents easily replacing these pointers or exposing their values. Obfuscation with a simple XOR function is the best that can be done in software because of performance concerns. Furthermore, with encryption or obfuscation, it is very hard to verify the decrypted value.
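The limitation stated above, that an XOR-obfuscated pointer cannot be verified after demangling, can be shown directly. The following C program is an added illustration and not part of the disclosure; it uses a simplified, constructed stand-in for glibc's PTR_MANGLE/PTR_DEMANGLE (plain XOR with a constant guard, omitting glibc's rotation) and a constructed sample pointer.

```c
#include <stdint.h>

/* Constructed per-process secret standing in for glibc's pointer guard.
   In a real process it is random and kept away from attacker-controlled memory. */
#define PTR_GUARD ((uint64_t)0x5A3C9E1FD2B74086ULL)

/* Simplified PTR_MANGLE / PTR_DEMANGLE: a plain XOR with the guard.
   (glibc additionally rotates the value; that does not change the point here.) */
static uint64_t mangle(uint64_t p)   { return p ^ PTR_GUARD; }
static uint64_t demangle(uint64_t m) { return m ^ PTR_GUARD; }

/* An undisturbed round trip restores the pointer: returns 1 on success. */
int roundtrip_ok(uint64_t p) { return demangle(mangle(p)) == p; }

/* Model a memory-corruption bug that clobbers one byte of the stored,
   mangled pointer. Demangling cannot fail: there is no tag or redundancy
   to check, so the function silently returns a different pointer. */
uint64_t demangle_after_corruption(uint64_t p, unsigned byte_index, uint8_t new_byte) {
    uint64_t stored = mangle(p);
    uint64_t mask = (uint64_t)0xFF << (8 * byte_index);
    stored = (stored & ~mask) | ((uint64_t)new_byte << (8 * byte_index));
    return demangle(stored);
}

/* The only check plain software can apply is a plausibility test on the
   demangled value, e.g. 8-byte alignment. Count how many of the 256 possible
   corruptions of one stored byte still pass that test. */
unsigned aligned_after_corruption(uint64_t p, unsigned byte_index) {
    unsigned passes = 0;
    for (unsigned b = 0; b < 256; b++)
        if ((demangle_after_corruption(p, byte_index, (uint8_t)b) & 7) == 0)
            passes++;
    return passes;
}
```

Corrupting the top byte of the stored word leaves the alignment intact for every one of the 256 possibilities, so a software-only sanity check gives no signal; the demangled value is simply wrong.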
Accordingly, a need exists for an easier way of validating control flow carried out by a processor, in order to more efficiently prevent attackers from exploiting software flaws or errors.